AI used to help plan the break-in, now it’s doing the break-in

Over the past twelve months, researchers documented intrusions in which AI ran exploitation workflows autonomously, generating thousands of commands across dozens of sessions with minimal human direction, according to Check Point’s AI Security Report 2026.

AI-powered cyber attacks

The attackers posing the greatest risk are those orchestrating AI across multiple stages of the attack chain without requiring human intervention. They achieve this by obtaining capable AI models and removing their safety controls.

Attackers gain AI capabilities by abusing commercial models, using stolen AI credentials, self-hosting freely available open-source models, or purchasing access to AI tools built for cybercrime.

Jailbreaking removes the safeguards that prevent AI models from following malicious instructions. Attackers use carefully crafted prompts to bypass safety controls, although these techniques are regularly patched. A more persistent approach targets AI coding agents by placing malicious instructions in files such as CLAUDE.md, which are automatically loaded at the start of every session. Once planted, the jailbreak remains active until the file is removed.

AI is widely used to develop malware by generating, refining, and debugging code, allowing less experienced attackers to produce more capable tools. Criminal groups and nation-state actors increasingly rely on AI-assisted development. A smaller but growing category of malware also communicates with AI models during execution to generate commands or adapt its behavior in real time.

AI can reason about code well enough to accelerate vulnerability discovery and exploit development. The time between public disclosure and a working exploit continues to shrink, with attackers often producing exploits within hours of a vulnerability becoming public. The speed of testing and deploying patches is becoming the primary bottleneck.

Attacking AI systems

Organizations have integrated AI into email, documents, code, browsers, and business workflows, giving it access to sensitive data and the ability to act on users’ behalf. AI has become part of enterprise environments, creating a growing attack surface. Most attacks targeting AI systems fall into two broad categories: AI-specific risks and traditional software vulnerabilities.

Language models process instructions and data as a single stream of text without distinguishing between them. This allows untrusted content to be interpreted as instructions instead of data, enabling prompt injection, malicious configuration files, and memory manipulation.

AI tools inherit the same weaknesses as other software. Autonomous AI agents expand those risks by operating with excessive privileges, installing new components, and trusting external inputs with little human oversight.

“The expertise barrier that separated capable attackers from the rest is disappearing, and defenders can no longer assume a human is setting the pace on the other side. The organizations that stay ahead will be the ones that govern how AI is used, secure the AI systems they now depend on, and defend at machine speed rather than human speed,” said Lotem Finkelstein, VP, Check Point Research.

Digital identity threats

Generative AI is changing how trust is established by making it possible to create convincing identities at scale. A familiar voice, a face on a video call, a government ID, or a live conversation once served as reasonable proof of identity. Each of these can be synthesized at low cost with a high degree of realism.

Generative identity attacks have progressed from pre-recorded content to real-time interaction and autonomous operation. Nearly every stage has already appeared in real-world attacks or is available through criminal marketplaces. Autonomous, interactive video remains the only notable exception.

AI security report 2026

Generative identity threats by media type and maturity (Source: Check Point)

Even trained observers correctly identified AI-generated faces only about 41% of the time, compared with roughly 30% for the general public.

Social engineering was the dominant attack vector in 2025, expanding beyond email into coordinated campaigns using phone calls, messaging apps, collaboration platforms such as Microsoft Teams and Slack, fake websites, and live impersonation.

Multi-channel attacks have become standard practice and played a central role in major breaches, including Scattered Spider’s attacks on Marks & Spencer and Jaguar Land Rover, as well as ShinyHunters’ phone-based campaign targeting Salesforce customers. The FBI attributes more than $250 million in losses to voice-enabled fraud alone.

Enterprise AI data exposure

Between October 2025 and May 2026, generative AI became an integral part of organizational productivity across multiple business functions. During that period, between 87% and 93% of organizations experienced at least one high-risk AI interaction each month.

Europe recorded the highest share of high-risk prompts, followed by Latin America and North America. The small gap indicates AI-related data exposure is a global challenge with limited regional variation. Europe also demonstrates that privacy regulation alone does not prevent risky AI use, while Latin America recorded the fastest increase during the reporting period.

Business services recorded the highest rate of high-risk prompts, followed by wholesale and distribution, and telecommunications. Business services also experienced the fastest growth, reflecting broader AI adoption for documents, communications, and customer interactions, where sharing additional context increases the risk of exposing sensitive information.

Securing AI infrastructure

Companies building AI infrastructure through dedicated LLM environments, AI factories, and hardware-based deployments expand the attack surface across hardware workloads, containers, inference APIs, and LLM endpoints.

The most dangerous part of the AI attack surface is often the one organizations cannot see. Exposed model servers, agent control panels, and inference endpoints are continuously probed by attackers, while many organizations lack visibility into these assets.

Don't miss